Analysis Overview
SHA256
ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0
Threat Level: Known bad
The file ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0 was found to be: Known bad.
Malicious Activity Summary
Gozi_ifsb family
UPX packed file
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-07 18:43
Signatures
Gozi_ifsb family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-07 18:43
Reported
2022-02-07 19:28
Platform
win7-en-20211208
Max time kernel
137s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\114E.tmp\2.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\114E.tmp\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
"C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\114E.tmp\11FB.bat C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
C:\Users\Admin\AppData\Local\Temp\114E.tmp\2.exe
2.exe
Network
Files
memory/2008-54-0x00000000751B1000-0x00000000751B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\114E.tmp\11FB.bat
| Hash | Value |
| --- | --- |
| MD5 | a4d54825c48a32efc53e34ea0f588d1c |
| SHA1 | cd5815db470cf3af4d6ce658151eb24fef1c664f |
| SHA256 | a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39 |
| SHA512 | 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b |
C:\Users\Admin\AppData\Local\Temp\114E.tmp\2.exe
| Hash | Value |
| --- | --- |
| MD5 | e05a56a2338be5e71fbdaca8115d76df |
| SHA1 | d5b24d5ea2cf8d9249fbb2902af7cbac003bd0c3 |
| SHA256 | 0d33036c9c34dc32339d9deecca700873959bed8bb0fded4ed978c90441e7714 |
| SHA512 | a68706f9700d2c10c5ffaf1d5a50945341a00e58c851b96cacdfe606b15acb04dfd7c1175ad3d10a502556bca1beadc15c7980652db45237cace179eb2fdf2c4 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-07 18:43
Reported
2022-02-07 19:29
Platform
win10v2004-en-20220113
Max time kernel
200s
Max time network
212s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4872 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe | C:\Windows\system32\cmd.exe |
| PID 4872 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe | C:\Windows\system32\cmd.exe |
| PID 928 wrote to memory of 4768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe |
| PID 928 wrote to memory of 4768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe |
| PID 928 wrote to memory of 4768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe
"C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6087.tmp\6098.bat C:\Users\Admin\AppData\Local\Temp\ab6a5fcf478d31181ea0e96f42ad1c2cb2f7dc056cdb7dbc06cb007f75902bf0.exe"
C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe
2.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 104.80.228.57:443 | | tcp |
| NL | 104.80.228.57:443 | | tcp |
| NL | 20.190.160.129:443 | | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| NL | 51.124.78.146:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\6087.tmp\6098.bat
| Hash | Value |
| --- | --- |
| MD5 | a4d54825c48a32efc53e34ea0f588d1c |
| SHA1 | cd5815db470cf3af4d6ce658151eb24fef1c664f |
| SHA256 | a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39 |
| SHA512 | 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b |
C:\Users\Admin\AppData\Local\Temp\6087.tmp\2.exe
| Hash | Value |
| --- | --- |
| MD5 | e05a56a2338be5e71fbdaca8115d76df |
| SHA1 | d5b24d5ea2cf8d9249fbb2902af7cbac003bd0c3 |
| SHA256 | 0d33036c9c34dc32339d9deecca700873959bed8bb0fded4ed978c90441e7714 |
| SHA512 | a68706f9700d2c10c5ffaf1d5a50945341a00e58c851b96cacdfe606b15acb04dfd7c1175ad3d10a502556bca1beadc15c7980652db45237cace179eb2fdf2c4 |
memory/2324-145-0x0000023CAB3E0000-0x0000023CAB3E4000-memory.dmp